Mr Allan Chiang

Privacy Commissioner for Personal Data 

Office of the Privacy Commissioner for Personal Data 
12/F, 248 Queen’s Road East 

Wanchai 

Hong Kong 


BY FAX AND BY HAND 


Dear Allan, 


Sharing of Positive Mortgage Data 


Further to my letter to you dated 23 February 2011, I am writing regarding 
the comments of the Hong Kong Bar Association (“HKBA”) in its 
submission on the Consultation Document which it has posted on its website. 
Our views, mainly in relation to legal issues raised by the HKBA, are set out 
below. Please also note that we have in parallel initiated discussions with the 
HKBA in order to address the points raised in its submission to your office. 


Paragraph 9 


The HKBA remarked in paragraph 9 that the Code of Practice on Consumer 
Credit Data (the “Code”) has shifted from a pro-privacy initiative to a 
mechanism for legitimising “privacy-intrusion”. We do not think this is a 
reasonable description of the purpose or intention of introducing positive or 
negative credit data sharing which in our view involves important public 
interest concerns. Specifically, we are of the view that any change in the law 
or the Code is about finding the right balance between the privacy interests of 
individuals and the public interest at a given point of time as the right to 
personal data privacy is not absolute. The principal objective of the industry 
proposal is to promote responsible lending and borrowing and prevent
over-borrowing and in so doing enhance the overall financial stability in Hong
Kong. We note that HKBA itself also recognises that reducing risk of
defaults is a laudable aim.


Paragraphs 23 to 34 


According to the HKBA (see paragraphs 31 & 32 of its submissions), since 
there is no evidence on the extent to which individuals are taking on 
mortgages in relation to non-residential property and the delinquency rates in 
relation to such mortgages, or evidence that the borrowers are being 
untruthful, the case for saying that the additional data which the credit 
reference agency (“CRA”) should be permitted to collect are “necessary and 
not excessive” (for the purpose of assessing the credit worthiness of the 
individuals to which the data relate) does not begin to be made out. The 
HKBA further states in paragraph 33 that unless and until such a case is 
made out on the basis of compelling evidence, the proposal to expand the 
mortgage data that the CRA is permitted to collect must be rejected because 
it has not been shown that DPP1(1) would be complied with. 


The reason why we have not provided the evidence mentioned is because 
without positive mortgage data sharing, we have no means of collecting such 
data as customers are unlikely to admit they have been untruthful and they do 
not necessarily borrow only from one bank but from different banks so each 
bank is not able to conduct a proper and comprehensive credit risk 
assessment. There is nevertheless anecdotal evidence of property borrowers
getting mortgage loans from different banks. You would recall in November 
last year we sent you the attached newspaper clipping (at Annex 1) of a 
pensioner who was speculating in property by borrowing from multiple 
banks who were unable to verify her credit worthiness due to a lack of 
positive mortgage data sharing. There is no reason to assume that this type 
of behaviour is exceptional. 


Furthermore, from a legal perspective, DPP1(1) provides that: 


“(1) Personal data shall not be collected unless — 
(a) the data are collected for a lawful purpose directly related 
to a function or activity of the data user who is to use the 
data; 


(b) subject to paragraph (c), the collection of the data is 
necessary for or directly related to that purpose; and 


(c) the data are adequate but not excessive in relation to that 
purpose.” 


It is important to note that there is no requirement under DPP1(1) that the 
purpose for which the data is collected has to be substantiated or validated by 
evidence. DPP1(1) places no limit on the purpose for which data may be
collected, as long as it is collected for a lawful purpose, which is directly
related to a function or activity of the data user. The industry proposal is
therefore clearly consistent with DPP1(1)(a) since the data are collected by
the CRA for a lawful purpose directly related to its function or activity as a
credit reference agency, i.e. to create a credit profile of borrowers for credit
risk assessment purposes. DPP1(1)(c) then requires the data to be “adequate
but not excessive” in relation to that purpose. DPP1(b) provides that subject
to (c), the collection is necessary for or directly related to such a lawful
purpose.


We would also like to draw reference to the book entitled “Data Protection 
Principles of Personal Data (Privacy) Ordinance — from the Privacy 
Commissioner’s perspective (2nd Edition)” published by your office. 
According to paragraph 5.9 of the book, the Privacy Commissioner has 
expressed the view that in considering whether the collection of data is in 
compliance with DPP(1) in the absence of any applicable code of practice, 
the following are relevant factors to be considered: 


(a) the particular function or activity to which the collection of the 
data concerned is considered directly related; 


(b) the degree of sensitivity of such data; 


(c) the legitimate purposes to be served in collecting the personal 
data and the adverse impact on personal data privacy; 


(d) whether there is a real need (i.e. the likelihood of such need 
arising) for the data to be collected in order to carry out that 
function or activity; and 


(e) whether there is any realistic and less privacy intrusive 
alternative for attaining the purpose of collection. 


In the context of the industry proposal which will require changes to the 
Code, we and the industry have considered carefully the above factors. The 
data that will be contributed by the credit providers to the CRA are set out in 
paragraph 4.2(b)(i) of the Consultation Document, which according to the 
industry, are the minimum that are necessary to enable the CRA to identify 
accurately each individual involved in a consumer mortgage loan and 
compile the mortgage count. Indeed, it has been indicated in paragraph 5.31
of the Consultation Document that subject to the determination on the types
of mortgage loans to be covered under Issue 1, the proposed types of data
items to be contributed and assessed “represent the minimum amount of data
necessary for the purposes of assessing the credit risk of consumer credit
applications”. Besides, it is proposed that the credit providers will have
access to the mortgage count only, instead of the entirety of the data
contributed to the CRA by credit providers as set out in paragraph 4.2(b)(i) of
the Consultation Document. There is also no realistic alternative for
achieving the purpose of collection of the data in respect of pre-existing
mortgages. Based on the above, we have been advised by our Office of the
General Counsel that there is no contravention of DPP1(1), and the data that
are to be collected by the CRA as a credit reference agency appear to be
“necessary”, “adequate” and “not excessive”.


Paragraphs 39 to 50 


The HKBA takes the view that the transfer of the positive mortgage data to 
the CRA would be contrary to DPP3 (see paragraphs 44 and 47 of its 
submission). DPP3 is set out below: 


“Personal data shall not, without the prescribed consent of the data subject, 
be used for any purpose other than — 


(a) the purpose for which the data were to be used at the time of 
collection of the data; or 


(b) a purpose directly related to the purpose referred to in 
paragraph (a).” 


The HKBA relies on the guidance provided by your office [1] on how you
would interpret DPP3:


“In assessing whether the act in question is done for a “directly related
purpose” and thus covered by DPP3(b), the Commissioner will take into
account factors such as:


• the nature of the transaction giving rise to the need for using
the personal data; and


• the reasonable expectation of the data subject.” (Emphasis
added.)


[1] The HKBA quoted paragraph 7.25 from the older version of the book entitled Data Protection
Principles of Personal Data (Privacy) Ordinance — from the Privacy Commissioner’s perspective,
Office of the Privacy Commissioner for Personal Data, August 2007. The same paragraph
appears in the 2010 version at paragraph 7.26.


The HKBA argues that since the transfer of the positive mortgage data to the 
CRA was not permitted under the Code at the time when the data were 
collected, the data subject would not have expected this to occur. 
Accordingly, it takes the view that the transfer will not be done for the 
purpose for which the data were to be used at the time of collection of the 
data or for a directly related purpose. 


First and foremost, we would like to point out the stance adopted by your 
office as demonstrated by paragraph 1.12 of the aforesaid guidance is for 
reference only and it was stated in the guidance that such stance shall not 
bind your office in the exercise of the Commissioner’s statutory functions in 
any way. Furthermore, it was stated that rather than relying on such views 
the reader is urged to exercise independent judgement on the interpretations 
of the data protection principles and where appropriate avail himself of 
professional advice. 


In conjunction with our Office of the General Counsel, I have considered the 
legal opinion of Senior Counsel obtained on this matter, which the industry 
has previously submitted to you, and agree with his detailed analysis based 
on a purposive construction of DPP3. In particular, we agree that all the 
DPPs should be read together and should be construed purposively to 
promote the objectives of the Personal Data (Privacy) Ordinance (“PDPO”). 
DPP3(a) refers to the purpose for which the data were to be used at the time 
of collection of data (“Original Purpose”), while DPP3(b) refers to a directly 
related purpose. In constructing what is the Original Purpose, the data user 
may have informed the data subject the Original Purpose explicitly, or in the 
absence of any explicit communication, the Original Purpose may be 
implied.[2] In determining the implied purpose for which the personal data
were collected at the time of collection, all circumstances, including the
reasonable expectation of the data subjects are relevant. Applying this to the
industry proposal, it must have been within the reasonable expectation of the
customer when applying for a loan that his personal data would be used for
creating a credit profile to enable the proper assessment of credit risk.
Therefore, we are of the view that the transfer of the data to the CRA to
enable the creation of a credit profile for risk evaluation is within the
Original Purpose albeit such purpose is an implied purpose. In this
connection, please see paragraphs 19 to 24 of Senior Counsel’s Opinion at
Annex 2.


[2] DPP1(3) provides that data user must take all practical steps to explicitly inform a data subject
of the purpose for which data are collected. Since this is not an absolute obligation, this shows
that the Original Purpose may be implied in the absence of any explicit communication by the
data user to the data subject.


Further or in the alternative, we rely on DPP3(b) which enables the use of 
personal data for a directly related purpose to enable the transfer of personal 
data to the CRA. This is because the transfer of data to the CRA to enable 
the creation of a credit profile of the customer is directly related to the 
Original Purpose of credit risk assessment. 


In contrast to DPP3(a), when determining the directly related purpose (which 
is not confined to the time of collection of data), the question is determined 
by whether it is directly related to the Original Purpose and is not dependent 
on whether the customer reasonably contemplated or expected that directly 
related purpose at the time of the mortgage loan application when the 
personal data were collected. In this connection, we refer you to paragraphs 
25 to 31 of Senior Counsel’s opinion at Annex 3. 


Apart from the MPF example cited in the Senior Counsel’s opinion at 
paragraphs 28 to 30, the Senior Counsel’s view is also supported by the 
Administrative Appeals Board (“AAB”) decision of #¢#/A v Privacy 
Commissioner for Personal Data, AAB No. 41/2006. In this case, the 
appellant provided her personal data, including her name, address, and 
telephone number to the management company when she complained about 
the foul smell in the corridor outside her flat. The appellant had expressly 
told the representative of the management company that if it decided to make 
a report to the police, the management should preserve her anonymity. The 
AAB upheld the views of the then Privacy Commissioner and ruled that 
although the management company had promised the appellant that it would 
not disclose her personal data to the police, when the management company 
provided the appellant’s personal data to the police, it was using the personal 
data for a purpose which was directly related to a purpose for which her data 
were collected in the first place. It is worth pointing out that in this case the 
ruling was made even though the transfer of information to the Police was 
not within the appellant’s reasonable contemplation at the time the data was 
collected nor had the appellant given her prescribed consent for the transfer. 
Applying this case to the industry proposal, it would seem even if the 
uploading of such data to CRA was not within the applicant’s reasonable 
contemplation, the data can still be uploaded to CRA as this serves a directly 
related purpose. 





On the facts of this case, section 58(2)(a)of the PDPO provides that personal data are exempt 
from the provisions of DPP3 anyway. However, the decision contains detailed analysis on how 
DPP3 is to be applied and why the agreement between the data subject and the data user was 
irrelevant in considering whether DPP3 has been contravened. 


Paragraphs 51 to 55 


The HKBA states in paragraph 52 of its submission that the requirement of 
the written consent of data subjects prior to access by credit providers to the 
proposed additional mortgage data does not help to address the issue 
discussed above in paragraphs 39 to 50 in relation to Issue 3. However, the 
HKBA supports and welcomes the requirement for consent as a further level 
of privacy protection for sharing of mortgage data by CRA. 


We would just emphasize that the requirement for written consent of data 
subjects is indeed an important level of privacy protection. As the transfer of 
data to the CRA is only a preparatory step, no true sharing of data will occur 
without the customer’s written consent. 


Paragraphs 56 to 60 


On the benefits of the transitional period, the HKBA should perhaps refer to 
paragraphs 5.41 and 5.42 of the Consultation Document which explain the 
transitional period in greater detail. The purpose of the transitional period is 
to ensure any positive mortgage data collected by the CRA could not be 
accessed and used during the transitional period other than new applications 
for credit facilities and certain prescribed exceptional circumstances, such as 
financial difficulties of the customer, or when there is a need for debt 
restructuring. This may be beneficial to those who have over-borrowed in 
that it would offer a longer period of time in which they would be able to
re-assess and revise a realistic repayment schedule with their lending
institutions.


It is also useful to point out that under the industry proposal, a credit provider 
will have to obtain an individual's written consent to access his mortgage 
count whether before or after expiry of the transitional period. If an 
individual applies for any consumer credit from a credit provider on or after 
the proposal implementation date, that credit provider will obtain his written 
consent to access his mortgage count at the CRA. The credit provider will 
then access his mortgage count for processing that application or if the other 
specified circumstances (e.g. debt restructuring etc.) occur during the
transitional period, and will not otherwise access his mortgage count until 
expiry of the transitional period. There is no need to obtain the individual's 
written consent again for accessing his mortgage count after expiry of the 
transitional period because the initial written consent already covers it. On 
the other hand, if an individual does not apply for any consumer credit from 
any credit provider after the implementation date (i.e. there is no opportunity 
for any credit provider to obtain his written consent to access his mortgage
count at the CRA), no credit provider will access his mortgage count at the
CRA for any purpose whether during or after the transitional period.


In line with the treatment of the HKMA’s submissions to you in response to 
the Consultation exercise, we will be posting this letter on the HKMA 
website. 


Yours sincerely, 


Arthur Yuen 
Deputy Chief Executive 


c.c. Policy 21 Limited 
The Chairman, Consumer Credit Forum 
The Chairman, HKAB 
The Chairman, DTCA 
FSTB (Attn: Miss Natalie Li) 


Encl. 


Annex 2


Paragraphs 19 to 24 of Senior Counsel’s Opinion


19. When DPP3(a) is examined it is patent that if the original purpose for
which the data is to be used is to evidence a past, present and future
creditworthiness profile - a necessarily dynamic position and equally an
absolutely critical parameter for safe lending and safe borrowing — then it
is logically the irresistible inference that this fundamental banking criterion
was the common purpose of both the data subject and the data user.


20. Every customer would instantly recognise and accept that the whole point
(the entire purpose) of a loan application form and the decision-making
process in relation to it, is designed to transfer determinative information
to the bank. A bank will not lend without a proper assessment of risk. It
follows that the customer knows and understands that the bank must be
properly equipped to be able to make a safe evaluation. It is decisively in
the public interest that borrowers responsibly borrow and that banks
responsibly lend. But this optimum situation can only operate if there is a
comprehensive verified customer profile.


21. The Proposal by the CCF is manifestly in the public interest as it will
promote safer borrowing and safer lending. It would be odd, indeed if a
Proposal that would positively enhance the public good could be rendered
stillborn by a misplaced anxiety over the utilization of personal data, when
the legitimacy of banking as a core societal institution is inherently
vulnerable to incomplete personal data. The Proposal is remedial from
every perspective.





22. Once the Proposal is analysed from the consideration that every bank
customer knows and expects that the very essence of every loan
application is that the bank needs assurance of the genuine credit profile,
rather than the customer's unverified claims, then it is blindingly obvious
that every data subject would realise and accept that the whole purpose
for which the data is to be used is to create a credit profile for risk
evaluation. Indeed that purpose is self-referential of banking.


23. It matters not that earlier pre-PDPO loans were made without the bank
setting out on a piece of paper just what the purpose of the data was for,
as everyone knew then just as everyone now knows too what the purpose
was. What has changed is the PDPO has added specific responsibilities
that now give privacy a higher normative value than before the inception of
the legislation. But receipt of the data was always the precondition to a
loan as only by it could any bank exercise proper lending. I easily
conclude that for loans made at a time when it was not unlawful to not
provide a PDPO Notice, before or at the time of a mortgage loan
application, Participating Institutions are fully entitled to transfer the
positive data specified in paragraph 6(b) above to the CRA, as the very
purpose for which the data was to be used is still the same substantive
purpose involved in the transfer of it to the CRA, namely, to create a credit
profile for risk evaluation.


24. But whatever view may be taken under DPP3(a), there can be no doubt
that DPP3(b) too very amply authorizes the transfer of the data to the
CRA. DPP3(b) authorises the transfer if the purpose is “...directly related
to the purpose referred to in paragraph (a)”. There must therefore be an
immediate nexus between the original purpose and the later one. The
connection should be generically referable to the original purpose and be
the type of connection that objectively was foreseeable as either a natural
development of or from the general nature of the original purpose.





Annex 3 


Paragraphs 25 to 31 of Senior Counsel’s Opinion 


25. DPP3 should be interpreted in the following manner: 


(a) having regard to the wording of DPP3(a), the purposes covered by 
DPP3(a) are the purposes that were within the reasonable 
contemplation or expectation of the Customer or could be 
reasonably inferred as the customer's purpose at the time of the 
mortgage loan application when his data were collected by the 
institution to which the application was made (the “Original 
Purposes"); 


(b) DPP3(b) provides for a purpose directly related to the purpose 
referred to in DPP3(a). There is no ambiguity between the wording 
of DPP3(b) and the wording of DPP3(a). By separating DPP3(b) 
from DPP3(a) and not repeating in DPP3(b) the reference to "at the 
time of the collection of the data" which appears in DPP3(a), it is 
clear that the legislative intent is that a “directly related purpose" 
should be determined by whether it is directly related to an Original
Purpose but without imposing a specific timeframe for the making
of that determination.


26. I note that the PCPD on DPP3 in its book entitled "Data Protection
Principles in the Personal Data (Privacy) Ordinance" (the "Book")
considers this very issue. In particular, paragraph 7.26 of the Book 
provides that the PCPD will take into account factors, such as the 
following, in assessing whether the act in question is done for a "directly 
related purpose” and thus covered by DPP3(b): 


(a) the nature of the transaction giving rise to the need for using the
personal data; and


(b) the reasonable expectation of the data subject.


27. For the reasons set out above, interpretation of DPP3(b) in the manner
described in paragraph 25 above substantially reflects both the letter of
the provision and the legislative intent. Purpose can however also be a
matter of inference, from all the circumstances. The question as to
whether a purpose is a “directly related purpose" is determined by whether
it is directly related to an Original Purpose and is not dependent on
whether the Customer reasonably contemplated or expected that "directly
related purpose" at the time of the mortgage loan application when his
personal data were collected. This interpretation does not contradict the
PCPD's approach and is in accordance with both it and the careful
dichotomy made between DPP3(a) and DPP3(b), which eliminates any
fixed initial time-point for DPP3(b).


28. Further, I note the PCPD's comment in paragraph 7.30 of the Book that in
the context of human resource management, disclosure of employees’
personal data to Mandatory Provident Fund ("MPF") providers for the
administration of the MPF scheme is an example of use of data for a
directly related purpose.


29. The MPF regime was only implemented in Hong Kong in the year 2000.
Employers would not therefore have explicitly specified in the PDPO
Notice distributed by them to employees before implementation of the
MPF regime, that disclosure of employees’ personal data to MPF
providers was an Original Purpose. Moreover, such disclosure would not
have been in the reasonable contemplation of the employees when their
data were collected before the implementation of the MPF regime.








30. In that regard, the MPF regime is similar to the regime for sharing positive
mortgage data in that collection of personal data pre-dated the
implementation of the regime. On that basis of ambulatory interpretation,
my opinion as to the interpretation of DPP3(b) is fully consistent with the
PCPD's treatment of transfer of employees’ personal data to MPF
providers, as being a directly related purpose in the context of human
resources management.


31. Adopting this interpretation of DPP3, granting and maintaining the
mortgage loan are Original Purposes and ensuring ongoing credit
worthiness of the Customer is a purpose directly related to those Original
Purposes. Transfer of the Customer's personal data to the CRA under
Step 1 is aimed at ensuring ongoing credit-worthiness of the Customer
and is directly related to the Original Purposes and thus covered by
DPP3(b).





